允许kubernetes应用程序访问其他AWS资源吗? [英] Allow kubernetes application to access other AWS resources?

问题描述

我想使用kubernetes在AWS EKS中部署应用程序.我的应用程序需要访问SQS和AWS S3.我不确定如何允许kubernetes应用程序访问SQS和S3.我调查了RBAC，但我猜想RBAC仅提供管理集群，名称空间或Pod的权限.

I want to deploy an application in AWS EKS using kubernetes. My application needs to access the SQS and AWS S3. I am not sure how to allow the kubernetes application to access the SQS and S3. I looked into RBAC but I guess RBAC only provides access to manage the cluster, namespace or pods.

我试图将访问密钥和秘密密钥作为秘密传递给环境变量并允许权限.但是我认为这不是一个好主意.

I am trying to pass the access key and secret key as the secrets to the environment variable and allow the permission. But I think this is not a good idea.

是否还有其他方法，例如创建IAM角色并将该角色传递给运行应用程序的Pod? 如果我尝试在worker节点角色中提供许可，则共享该节点的所有pod都将获得该许可.我需要像特定的容器或容器这样的东西才能获得许可

Is there any other way like creating the IAM role and passing the role to the pods running the application? If I try to provide the permission in the worker node role then all the pods sharing the node will get that permission. I need something like the specific pod or container will get the permission

我还尝试创建RBAC，在该RBAC中将角色分配给该组，然后将该组绑定到名称空间.

I also tried to create the RBAC in which a role is assigned to the group and the group is bind to the namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: default
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxx:role/EksWorkers-NodeInstanceRole-xxxxx
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxxxxxxxx:role/iam-role-for-application
      groups:
        - app-group

和

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admins
  namespace: default
subjects:
- kind: Group
  name: app-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

推荐答案

aws-auth configMap用于将用户/角色映射到集群.

aws-auth configMap is used to map users/roles to the cluster.

更新:这是您本机可以完成的操作

Update: Here is how you can do it natively

https://aws. amazon.com/blogs/opensource/introducing-fine-grained-iam-roles-service-accounts/ https://docs. aws.amazon.com/en_pv/eks/latest/userguide/iam-roles-for-service-accounts.html

要为Pod赋予IAM角色，您可以使用以下工具之一

For giving an IAM role to pods you can use one of the below tools

https://github.com/jtblin/kube2iam

https://github.com/uswitch/kiam

亚马逊团队正在努力将其本地化

Amazon team is working on to bring this natively

https://github.com/aws/containers-roadmap /projects/1?card_filter_query = iam https://github.com/aws/containers-roadmap/issues/23

这篇关于允许kubernetes应用程序访问其他AWS资源吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！